OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

CLOUD COMPUTING AT THE SOCIAL SECURITY ADMINISTRATION

September 2012   A-14-12-11226

EVALUATION REPORT

Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision
We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY
MEMORANDUM

Date:     September 24, 2012                    Refer To:
To:       The Commissioner
From:     Inspector General
Subject:  Cloud Computing at the Social Security Administration (A-14-12-11226)

OBJECTIVE
Our objectives were to (1) assess the Social Security Administration’s (SSA) plan to move computer services to a cloud, (2) determine the risks associated with moving computer services to a cloud, and (3) identify opportunities to save monies by partnering with other Federal agencies in moving computer services to a cloud.

BACKGROUND
Cloud computing is a general term for anything that involves delivering hosted services over the Internet. The name cloud computing was inspired by the cloud symbol that is often used to represent the Internet in flowcharts and diagrams.

According to the National Institute of Standards and Technology (NIST), cloud computing is a model for enabling convenient, on-demand access to a shared pool of configurable computing resources (for example, networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.[1] The cloud may be owned, managed, and operated by an organization, a third party, or a combination of the two, and it may exist on or off the organization’s premises. Cloud computing can be implemented as a

• private cloud that is used by a single organization comprising multiple users (for example, businesses);
• community cloud that is used by a specific community of individuals from organizations that have shared concerns (for example, mission, security requirements, policy, and compliance considerations);
• public cloud that is used by the general public; or
• hybrid mix of any of the above.

[1] NIST, Special Publication 800-145, The NIST Definition of Cloud Computing, p. 2, September 2011.

In a December 2010 publication,[2] the Office of Management and Budget (OMB) mandated a shift to a Cloud First Policy.[3] Each agency’s Chief Information Officer (CIO) was required to identify three computer services that must move to a cloud and create a project plan for migrating to a cloud solution and retiring the associated legacy systems.[4] At least one of the three services was required to be fully migrated to a cloud within 12 months [by December 2011][5] and the remaining two computer services within 18 months [by June 2012].[6]

When evaluating options for new IT deployments, OMB requires that agencies default to a cloud-based solution when there is a secure, reliable, cost-effective cloud option.[7] Additionally, OMB stated each migration plan will include major milestones, execution risks, adoption targets, and required resources as well as a retirement plan for legacy systems once cloud solutions are online.[8]

In February 2011, OMB published its Federal Cloud Computing Strategy,[9] which required that agencies modify their IT portfolios to fully take advantage of the benefits of cloud computing to maximize capacity use, improve IT flexibility and responsiveness, and minimize cost. Specifically, OMB required that each Federal agency reevaluate its technology sourcing strategy to include consideration and application of cloud computing solutions as part of the budget process.[10]

SSA submitted its initial Cloud First Plan to OMB in February 2011. That Plan identified three initiatives the Agency planned to migrate to a cloud: Citizen Access Routing Enterprise (CARE) Through 2020,[11] email services, and electronic Freedom of Information Act (eFOIA).[12] However, because of budget constraints and additional analysis, SSA withdrew email services and eFOIA and substituted eVerify[13] and American Association of Motor Vehicle Administrators (AAMVA)/Help America Vote Verification (HAVV).[14] SSA submitted its revised Cloud First Plan to OMB on December 2, 2011. The Plan included CARE Through 2020 as a service in a public cloud and eVerify and AAMVA/HAVV as services in private clouds.

[2] OMB, 25 Point Implementation Plan to Reform Federal Information Technology (IT) Management, December 9, 2010.
[3] “Cloud First” Policy is part of OMB’s 25 Point Implementation Plan to Reform Federal IT Management, Section A, Part 3, pp. 6 through 8. This three-part strategy revolves around using commercial cloud technologies where feasible, launching private Government clouds, and using regional clouds with State and local governments where appropriate. OMB, supra at p. 7.
[4] Id.
[5] Id.
[6] Id.
[7] Id.
[8] OMB, supra at p. 8.
[9] OMB, Federal Cloud Computing Strategy, p. 2, February 8, 2011.
[10] Id.
[11] CARE Through 2020 is replacing SSA’s existing Call Center Network solution contract, which provides SSA with National 800 Number Network call center services. For additional details on CARE Through 2020, see Appendix C, pp. 13 and 14.
[12] An automated electronic system used to process FOIA requests and administrative appeals.
[13] eVerify provides employers (and certain others) an automated link to Federal databases to help employers determine employment eligibility of new hires and to ensure the Social Security number matches the employee’s name. For additional details on eVerify, see Appendix C, pp. 15 and 16.
[14] AAMVA/HAVV fulfills the Social Security Number Verification services requirement for State Motor Vehicle Administrations and State-level Voter Registration Services. To meet these parallel requirements, State Motor Vehicle Administrations and Voter Registration offices must verify the applicant’s name, date of birth, and Social Security number with SSA. For additional details on AAMVA/HAVV, see Appendix C, pp. 17 and 18.

To accomplish our objectives, we interviewed SSA management and staff; compared SSA’s cloud computing plan to OMB guidance and standards published by NIST; researched cloud computing benefits and limitations; and contacted other Federal agencies on their cloud experiences. We also identified risks associated with moving computer services to a cloud. We did not limit our identification of risks to the three computer services SSA identified to move to a cloud. For more information on our scope and methodology, see Appendix B.

RESULTS OF REVIEW
Based on our interviews with SSA staff, analysis of the Agency’s Cloud First Plan, and inquiries with other Federal agencies, we determined that SSA’s Cloud First Plan generally complied with OMB requirements. However, we found the Agency needs to develop a service-based methodology to identify and track costs related to moving computer services to a cloud. For example, for the two computer services implemented in the cloud and the remaining computer service scheduled for implementation in December 2012, the Agency cannot demonstrate that it received an equal or greater return on investment (ROI) when moving these computer services to a cloud. The Agency does not have a methodology to identify and track the costs associated with its cloud implementations, including the costs associated with the retirement of its legacy systems.

Further, we found the Agency identified execution risks, as required by OMB,[15] for the three computer services planned for cloud implementation, but additional risks may affect the Agency’s data and legacy systems.[16] Finally, we determined the Agency had already partnered with some agencies; however, other opportunities existed.

[15] OMB, 25 Point Implementation Plan to Reform Federal IT Management, § A, p. 8.
[16] We define legacy systems as systems or applications that have been inherited from languages, platforms, and techniques earlier than current technology. For example, this would include applications programmed in Common Business Oriented Language.

Although we identified some concerns, we applaud the Agency for cautiously moving services to the cloud. SSA needs to decide whether the risks associated with moving computer services to a cloud outweigh the benefits to maximize capacity, improve IT flexibility and responsiveness, and minimize cost.

SSA’s Cloud First Plan Generally Met Federal Requirements but Could be Improved with the Development of a Service-Based Methodology for Identifying and Tracking Costs

During our review, we found SSA’s Cloud First Plan generally complied with Federal requirements. However, we believe the Agency needs to develop a methodology to identify and track costs associated with its cloud implementations.[17]

In its revised Cloud First Plan, the Agency proposed to move three computer services to a cloud:

• CARE Through 2020,[18]
• eVerify,[19] and
• AAMVA/HAVV.[20]

The Agency stated that eVerify and AAMVA/HAVV existed before OMB’s Cloud First Policy was issued and were selected to comply with OMB’s mandated timeframes.[21] We requested documentation of OMB’s approval of SSA’s Cloud First Plan. SSA management stated that, based on discussions with OMB, the Agency’s plan was approved. However, we determined that OMB never formally approved SSA’s plan.

OMB Circular A-130[22] states that Federal agencies must demonstrate a projected return on investment (ROI) that is clearly equal to or better than alternative uses of available public resources. However, SSA’s revised Cloud First Plan did not document whether moving its computer services to a cloud achieved an equal or greater ROI than maintaining its legacy systems because it did not have an appropriate service-based methodology to identify and track costs associated with its cloud implementations. For example, SSA identified costs for two projects, CARE Through 2020 and eVerify; however, the Agency identified projected costs rather than actual or service-based costs.[23] Furthermore, SSA did not calculate an ROI for eVerify or AAMVA/HAVV.

[17] OMB, 25 Point Implementation Plan to Reform Federal IT Management, § A, pp. 7 and 8.
[18] The infrastructure is complete, but the transition to SSA’s site will not be completed until December 2012.
[19] Service operational January 2011.
[20] Service operational January 31, 2012.
[21] Each agency’s CIO was required to identify three computer services that must move to a cloud and create a project plan for migrating to a cloud solution and retiring the associated legacy systems. At least one of the three computer services must be fully migrated to a cloud by December 2011 and the remaining two computer services by June 2012.
[22] OMB, Circular A-130, Management of Federal Information Resources, § 8.b(1)(b)(v), p. 12.

We question whether the Agency could calculate an accurate ROI because the Agency does not have an appropriate service-based methodology to identify and track costs associated with moving computer services to a cloud. According to industry best practices, an IT service-based cost approach provides the total cost for a computer service. The service-based cost methodology identifies and tracks IT costs or expenditures and assigns, distributes, or allocates those costs/expenditures to the IT services that generated them. If SSA had a service-based cost methodology, the Agency could determine the cost of the computer service being moved to the cloud. At the time of this review, the Agency could not identify and track costs associated with its cloud initiatives.

SSA identifies and tracks IT project costs using data and inputs from a variety of systems.[24] For many years, we have been concerned about the Agency’s inability to identify and track the cost of its systems or IT projects. For example, our 2008 report on the Reliability and Accuracy of the SSA’s Exhibit 300 Submissions to the Office of Management and Budget[25] stated SSA did not ensure the total costs for its major IT projects were properly estimated and reported in Exhibits 300 to OMB. In one instance, estimated costs were based on incomplete analysis, which made the total estimated project cost significantly different than the actual cost. In another instance, $18.8 million in historical costs for planning was excluded as project cost. Furthermore, our report on SSA’s Software Modernization and Use of Common Business Oriented Language[26] stated, “SSA provided no documentation that its current modernization approach created any additional efficiencies or stabilized its service delivery costs. Nor could SSA provide an allocation between the cost to maintain its legacy systems and its total IT maintenance cost.” Without this information, we could not determine whether SSA’s investments in IT infrastructure created any additional efficiencies or reduced operation costs. OMB estimates that about $20 billion of the Government’s $80 billion in IT spending is potentially targeted for moving computer services to a cloud.

SSA management stated that the Agency built its cloud strategy on a highly virtualized[27] environment, which creates the impression of a device or resource, such as a server or operating system, where the framework divides the resource into multiple execution environments. Partitioning a hard drive is considered virtualization because one drive is divided into two hard drives. Virtualization is a characteristic of cloud computing; however, it does not fully incorporate all aspects of cloud computing.

[23] See pages C-14 and C-16 in Appendix C.
[24] Indirect and direct cost is administered for IT Systems Cost, Government and Contractor Labor using Automated Purchase Requisition System, Resource Accounting System/Mainframe Time and Attendance System, and Contractor Actuals Reporting System.
[25] SSA OIG, Reliability and Accuracy of the SSA’s Exhibit 300 Submissions to the Office of Management and Budget (A-14-08-18018), September 30, 2008.
[26] SSA OIG, The Social Security Administration’s Software Modernization and Use of Common Business Oriented Language (A-14-11-11132), May 17, 2012.
[27] Virtualization is the concept of masking IT resources in a way that the physical nature and boundaries of those resources are hidden from resource users. An IT resource can be a server, a client, storage, networks, applications or operating systems.

Cloud computing uses virtualization to provide computing resources as a service or utility over public, semi-public, or private infrastructures.[28] Virtualization software allows one physical machine to run multiple operating systems. For example, SSA could run Microsoft and UNIX operating systems on the same server, thereby reducing the number of servers required for its operations. Moreover, the virtualization software helps provide complete and ongoing cost information to assist SSA in managing its IT budgetary resources and aligning IT initiatives with Agency business goals.

According to OMB, agencies should take steps during migration to ensure they fully realize the expected value from provisioning cloud services.[29] Further, OMB guidance states that, “. . . [f]rom an efficiency standpoint, legacy applications and servers should be shut down and decommissioned or repurposed.”[30] With CARE Through 2020, SSA stated that its National 800-Number Network[31] and Call Center Network Solution[32] were retired. SSA identified sections of its existing eVerify system that were replaced. However, for AAMVA/HAVV, the Agency did not retire any of its legacy systems. To further demonstrate the Agency’s operating savings for moving computer services to a cloud, SSA should track and account for cost savings derived from retiring its legacy systems or using them for other purposes. SSA could reinvest the costs saved or realize cost savings by using segments or entire legacy systems to meet other needs that would otherwise require additional outlays.

In summary, we found SSA’s Cloud First Plan generally complied with Federal requirements. However, since Federal agencies are encouraged to acquire secure, reliable, and cost-effective cloud options, SSA needs to develop a service-based methodology that identifies and tracks the cost for moving computer services to a cloud. This would include the costs of retiring a segment or an entire legacy system. Therefore, we recommend SSA develop a service-based methodology[33] to identify and track costs, including the costs of retiring segments or entire legacy systems, for all IT initiatives so the Agency can determine whether moving computer services to a cloud provides an equal or greater ROI than keeping the status quo.

[28] Virtualization Special Interest Group, PCI Security Standards Council, Information Supplement: PCI DSS Virtualization Guidelines, Virtualization Overview, 2.2.6 Cloud Computing, p. 9, June 2011.
[29] OMB, Federal Cloud Computing Strategy, pp. 15-16, February 8, 2011.
[30] OMB, Federal Cloud Computing Strategy, p. 16, February 8, 2011.
[31] SSA’s National 800 Number Network provides toll-free telephone service to members of the public.
[32] SSA’s Call Center Network solution allows routing of calls to the next available agent at any network site.
[33] The Agency should first determine whether the service-based cost allocation methodology is cost effective.

Risks to Agency Data When Moving Computer Services to a Cloud
SSA met OMB requirements by identifying execution risks associated with moving CARE Through 2020, eVerify, and AAMVA/HAVV to a cloud (see Table 1).

Table 1: SSA Identified Execution Risks

Risk Description                                                                 | CARE Through 2020 | eVerify | AAMVA/HAVV Verification
---------------------------------------------------------------------------------|-------------------|---------|------------------------
Acquisition or installation of storage to support the new node is not timely     |                   |         | •
Database migration failure                                                       |                   | •       |
Incomplete management information systems                                        | •                 |         |
Incomplete supporting application development and testing                        | •                 |         |
Internet Data Center construction incomplete or not operational                  | •                 |         |
Load balancing configurations failure                                            |                   | •       |
Network connectivity not completed timely                                        |                   |         | •
Production execution scripts failure                                             |                   | •       |
Routing configurations failure                                                   |                   | •       |
Scope change requests                                                            | •                 |         |
SSA data processing fails to account for transactions flow through the Second Support Center[34] |   |         | •
SSA’s recipient master file data replication incomplete                          |                   |         | •
System migration failure                                                         |                   | •       |

[34] The Second Support Center is a co-processing facility that works hand-in-hand with the National Computer Center to process critical agency workloads, and each center acts as the disaster backup for the workloads of the other center.

SSA needs to consider all potential risks to its data or legacy systems when moving computer services to a cloud. To assist the Agency, we provide a list of the risks associated with moving computer services to a cloud in Appendix D. The list is not all-inclusive; therefore, SSA should continue to consider all potential risks to its data or legacy systems before moving future computer services to a cloud.

Opportunities to Partner with Other Federal Agencies

SSA partnered with the Department of Homeland Security (DHS) and State MVAs on eVerify and AAMVA/HAVV. In addition, SSA had data exchange agreements with DHS and State agencies to access and match SSA’s data. Moreover, SSA provided network and IT support services to the Office of Child Support Enforcement and limited IT support and services to the Railroad Retirement Board and Centers for Medicare and Medicaid Services.

We contacted nine Federal agencies[35] to obtain their experiences and lessons learned from moving computer services to a cloud. Two of the nine agencies implemented a public cloud service, while seven agencies moved computer services to either a private, community, or hybrid cloud. SSA implemented a private cloud service for eVerify and AAMVA/HAVV. This was consistent with the nine agencies we contacted. Agency representatives provided their experiences and lessons learned from moving computer services to a cloud. These experiences and lessons learned were as follows.

• Realizing consumption of cloud services requires a shared responsibility and governance.
• Understanding accountability and compliance with Government requirements cannot be outsourced.
• Understanding the division of security responsibilities between provider and client, and the ability to verify that both are met.
• Realizing the certification and accreditation process is new for cloud vendors as well as time consuming.
• Adhering to directives, legislation, policy, and procedures to ensure appropriate analysis, reviews, and procedures are conducted.
• Involving the end-user community in the decision process for migrating computer services to a cloud.
• Completing documentation ahead of time for any service level agreements and Request for Information.[36]

[35] The Agency for International Development; DHS; Departments of Agriculture, Commerce, the Interior, and Veterans Affairs; Environmental Protection Agency; General Services Administration; and Internal Revenue Service.
[36] A Request for Information is a standard business process used to collect written information about the capabilities of various suppliers.

Cloud Initiatives of Other Federal Agencies

Other Federal agencies have implemented cloud computing services. The Department of the Interior implemented an Infrastructure as a Service[37] offering called the National Business Center Grid,[38] which allowed end users to procure a variety of servers and operating systems through a single cloud portal. DHS implemented SharePoint as a service offering and moved more than 50,000 emails to a cloud.[39]

The National Oceanic and Atmospheric Administration contracted with a Maryland company to unify its email and collaboration tools using Google Apps for Government. The National Oceanic and Atmospheric Administration’s email and collaboration tools serve about 25,000 users. The Securities and Exchange Commission reduced the time to resolve cases by up to 75 percent by migrating the Office of Investor Education and Advocacy to Salesforce.com, a customer relationship management software. This software cloud initiative allowed its employees to handle customer queries from any location and manage their workflows. The National Archives and Records Administration contracted with a technology firm to build a self-service Website for citizens who need help resolving eFOIA proposal requests.[40]

[37] Infrastructure as a Service refers to the hosting, software, hardware, procurement, and services needed to run a cloud.
[38] Hannah Wald, Cloud Computing for the Federal Community, IAnewsletter, Vol. 13, No. 2 (Spring 2010), http://iac.dtic.mil/iatac/download/Vol13_No2.pdf.
[39] Cloud Computing, Front and Center, CIO.gov (June 15, 2012), http://www.cio.gov/pages.cfm/page/Cloud-Computing-Front-and-Center.
[40] 5 Big Cloud Migration Projects, Government Executive (March 1, 2012), http://www.govexec.com/reports/five-big-cloud-migration-projects/41288/.

Federal Risk and Authorization Management Program

The Federal Risk and Authorization Management Program (FedRAMP) was established on December 8, 2011, via an official memorandum from the Federal Chief Information Officer to all Federal CIOs. FedRAMP was operational as of June 2012. FedRAMP is a Governmentwide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that will save the costs, time, and staff required to conduct redundant agency security assessments. FedRAMP could provide SSA with a Governmentwide, standardized approach for security assessments, ongoing assessments, authorizations, and continuous monitoring of cloud service providers, if needed.

We applaud SSA for its outreach and partnering with other agencies. However, we believe more outreach opportunities exist that could provide additional experiences and lessons learned from moving computer services to a cloud. Therefore, we recommend SSA continue reaching out to officials responsible for FedRAMP; other Federal, State, and local government agencies; as well as private industry to obtain best practices and lessons learned before moving its computer services to a cloud.

CONCLUSION AND RECOMMENDATIONS
Each Federal agency is required to re-evaluate its technology sourcing strategy to include consideration and application of cloud computing solutions as part of the budget process.[41] SSA’s Cloud First Plan generally complied with Federal requirements, but improvements are needed in estimating and tracking costs. Additionally, SSA identified execution risks for each of its three proposed cloud initiatives as required by OMB. However, we identified additional risks to the Agency’s data or legacy systems that SSA should consider when expanding computer services to a cloud. Finally, the Agency partnered with other agencies, but additional opportunities exist for the Agency to partner in the future. Therefore, as the Agency continues to develop its cloud computing implementation plans, we recommend SSA:

1. Develop a service-based methodology to identify and track costs, including the costs of retiring segments or entire legacy systems, for all IT initiatives so the Agency can determine whether moving computer services to a cloud provided an equal or greater ROI than keeping the status quo.

2. Consider all potential risks to its data or legacy systems before moving future computer services to a cloud.

3. Continue reaching out to FedRAMP program officials; other Federal, State, and local government agencies; as well as private industry to obtain best practices and lessons learned before moving its computer services to a cloud.

[41] OMB, Federal Cloud Computing Strategy, p. 2, February 8, 2011.

AGENCY COMMENTS
SSA disagreed with our recommendations. See Appendix E for the full text of the Agency’s comments.

In reference to Recommendation 1, the Agency stated it disagreed with our recommendation because SSA is currently investigating the feasibility and cost effectiveness of implementing a service-based cost allocation methodology to complement the Agency’s existing IT cost tracking mechanism. SSA further stated it intends to identify the most productive, technically feasible, and cost-effective strategies for the development and deployment of the processes and tools that may be required to identify and track the costs of IT business services delivered to the Agency’s community.

In reference to Recommendation 2, the Agency stated it disagrees with our recommendation because it has taken comprehensive measures to ensure appropriate and effective risk assessment and mitigation for all IT projects. Additionally, the security and privacy controls deployed to protect information assets incorporate and exceed the additional risk categories identified in the report.

Finally, in reference to Recommendation 3, the Agency stated it disagreed with our recommendation because it actively engages in efforts to identify and refine private industry cloud computing best practices. Further, the Agency stated that it evaluates lessons learned from early adopters at any level of Government or the private sector. Additionally, SSA stated that industry best practices and lessons learned play a prominent role in the evolution of its cloud computing strategies and implementation plans.

OIG RESPONSE
Although the Agency’s response to Recommendations 1 and 3 indicates disagreement, the planned course of action addresses the concerns we have raised. For Recommendations 1 and 3, the Agency’s detailed response contradicts its “disagreement” with our recommendations. For Recommendation 1, SSA disagrees with developing a service-based methodology when the Agency is in fact “. . . investigating the feasibility and cost effectiveness of implementing a service-based cost allocation methodology . . . .” Further, for Recommendation 3, SSA disagreed with continuing its outreach efforts, but stated in its response “. . . we actively maintain an ongoing relationship with the General Services Administration, OMB, and the Federal Risk and Authorization Management Program (FedRAMP) officials to ensure that our cloud computing initiatives and activities remain consistent with Federal policies, guidelines, and security provisions.”

While SSA stated that it disagreed with Recommendation 2, the Agency’s detailed response stated

      We have an existing private cloud IT environment protected by a comprehensive defense-in-depth security architecture. . . . We have taken comprehensive measures to ensure appropriate and effective risk assessment and mitigation for all IT projects. The security and privacy controls we deployed to protect our information assets incorporate and exceed the additional risk categories identified in the report.

      . . . we also recognize the immaturity of public cloud computing offerings. . . . Therefore, we continue to maintain a highly vigilant posture with respect to the effective protection of these systems and assets since the deployment of any cloud-based solution may affect them.

      . . . Our current security controls and standards continue to apply whether we deliver IT services through our internal, private cloud; through an external, public cloud; or through some hybrid of both.

      Our cloud computing strategy continues to address relevant statutory and policy requirements associated with Federal IT systems, including IT security and risk management; privacy; data integrity; legal issues; records management; OMB and the National Institute of Standards and Technology guidelines and recommendations; and other applicable requirements.

The OIG believes that as long as these efforts are completed timely and effectively, they will address this recommendation.

                                            Patrick P. O’Carroll, Jr.

Appendices
APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – SSA’s Cloud First Plan
APPENDIX D – Risks Associated with Moving Computer Services to a Cloud
APPENDIX E – Agency Comments
APPENDIX F – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms

AAMVA     American Association of Motor Vehicle Administrators
CARE      Citizen Access Routing Enterprise
CIGIE     Council of Inspectors General on Integrity and Efficiency
CIO       Chief Information Officer
DHS       Department of Homeland Security
eFOIA     Electronic Freedom of Information Act
FedRAMP   Federal Risk and Authorization Management Program
GAO       Government Accountability Office
HAVV      Help America Vote Verification
IG        Inspector General
IT        Information Technology
NIST      National Institute of Standards and Technology
OMB       Office of Management and Budget
ROI       Return on Investment
SP        Special Publication
SSA       Social
Security Administration\n\x0c                                                                      Appendix B\n\nScope and Methodology\nTo accomplish our objective, we limited our review to the three computer services the\nSocial Security Administration (SSA) identified as moving to the cloud. We identified\nrisks associated with moving any type of computer service to a cloud. We did not limit\nour identification of risks to the three computer services SSA identified to move to the\ncloud.\n\nWe also:\n\n\xe2\x80\xa2   Interviewed SSA Systems staff responsible for the Agency\xe2\x80\x99s cloud computing\n    services.\n\xe2\x80\xa2   Obtained and reviewed SSA\xe2\x80\x99s original and revised Cloud First Plan.\n\xe2\x80\xa2   Interviewed personnel at nine Federal agencies.\n\n           o   Agency for International Development\n           o   Department of Agriculture\n           o   Department of Commerce\n           o   Department of Homeland Security\n           o   Department of the Interior\n           o   Department of Veteran Affairs\n           o   Environmental Protection Agency\n           o   General Services Administration\n           o   Internal Revenue Service\n\nWe also examined:\n\n\xe2\x80\xa2   Office of Management and Budget (OMB), Federal Cloud Computing Strategy,\n    February 8, 2011.\n\xe2\x80\xa2   OMB, 25 Point Implementation Plan to Reform Federal Information Technology\n    Management, December 9, 2010.\n\xe2\x80\xa2   OMB, Circular A-130. 
Management of Federal Information Resources,\n    November 28, 2000.\n\xe2\x80\xa2   OMB, Circular A-11, Section 210, Preparing and Submitting an Agency Strategic\n    Plan, August 18, 2011.\n\xe2\x80\xa2   OMB, Circular A-11, Section 300, Planning, Budgeting, Acquisition, and\n    Management of Capital Assets, August 18, 2011.\n\n\n\n\n                                           B-1\n\x0c\xe2\x80\xa2   OMB, Circular A-11, Section 53, Information Technology and E-Government,\n    August 18, 2011.\n\xe2\x80\xa2   National Institute of Standards and Technology (NIST) Special Publication (SP)\n    800-145, The NIST Definition of Cloud Computing, September 2011.\n\xe2\x80\xa2   NIST, SP 500-291, NIST Cloud Computing Standards Roadmap, July 2011.\n\xe2\x80\xa2   NIST, SP 500-292, NIST Cloud Computing Reference Architecture, September\n    2011.\n\xe2\x80\xa2   NIST, SP 800-146, FINAL Cloud Computing Synopsis and Recommendations,\n    May 2012.\n\nWe performed our evaluation during September 2011 through June 2012 in Baltimore,\nMaryland. The entity evaluated was the Office of the Deputy Commissioner for\nSystems. We conducted our review in accordance with the Council of the Inspectors\nGeneral on Integrity and Efficiency\xe2\x80\x99s Quality Standards for Inspection and Evaluation.\n\n\n\n\n                                          B-2\n\x0c                                            Appendix C\n\nSSA\xe2\x80\x99s Cloud First Plan\n\n\n\n\n                Cloud First Plan\n                    (Revised and Updated)\n\n\n\n\n                 December 2, 2011\n\n\n\n\n                             C-1\n\x0c                  TABLE OF CONTENTS\n\n1.     Executive Summary................................................................................................... 3\n\n2.     Background.................................................................................................................. 6\n\n3.     
SSA\xe2\x80\x99s Cloud Computing Strategy ........................................................................... 9\n\n4.     Designated Cloud-First Projects ........................................................................ 13\n     4.1.     CARE Through 2020 ..................................................................................................... 13\n\n     4.2.     eVerify High Availability Platform .......................................................................... 15\n\n     4.3.     AAMVA/HAVV Verification Services ...................................................................... 17\n\n\n\n\n                                                                 C-2\n\x0c1. Executive Summary\nIn December, 2010 Vivek Kundra published his Twenty-Five Point Plan for Reforming Federal IT Management.\nIn that Plan, OMB mandated that:\nEach Agency CIO will be required to identify three \xe2\x80\x9cmust move\xe2\x80\x9d services and create a project plan for\nmigrating each of them to cloud solutions and retiring the associated legacy systems. 
Of the three, at\nleast one of the services must fully migrate to a cloud solution within 12 months and the remaining two\nwithin 18 months.\nEach migration plan will include major milestones, execution risks, adoption targets, and required resources,\nas well as a retirement plan for legacy services once cloud services are online.\n\nIn February, 2011, the Social Security Administration (SSA) submitted its original Cloud-First Plan to OMB\nand identified three initiatives that the Agency planned to migrate to a cloud solution or that represented\nan extension of, or enhancement to, an existing cloud solution:\n\xe2\x80\xa2   CARE Through 2020\n\xe2\x80\xa2   eMail Services\n\xe2\x80\xa2   eFOIA\n\nDue to subsequent budget developments and additional analysis, SSA is removing eFOIA and\nthe Agency\xe2\x80\x99s eMail services from its Cloud-First Plan at this time and substituting the eVerify\nand American Association of Motor Vehicle Administrators (AAMVA) solutions for its Cloud First\nPlan. This decision is based on multiple factors in each case.\n\neFOIA\nAn automated electronic system (eFOIA) supports SSA\xe2\x80\x99s management of its obligations under the Freedom of\nInformation Act (FOIA). The Agency\xe2\x80\x99s staff use the eFOIA system to process requests and administrative\nappeals within the timeframes mandated by the statute and to minimize backlogs at the end of each fiscal\nyear. The existing eFOIA system is an internally developed and maintained system that uses Global 360\n(G360) \xe2\x80\x93 a custom tailored, commercially available software (customized COTS) solution. Software licenses\nand associated infrastructure are supplied under existing, competitive-procurement vehicles. The eFOIA\nsystem is based on aging architecture and infrastructure. Future costs are expected to increase and the long\nterm viability of the system will diminish. The existing system needs to be retired as soon as it is feasible to\ndo so. 
However, it does continue to meet its baseline goals and to deliver its expected benefits.

In expectation of a near-term replacement of the Agency’s existing eFOIA system, SSA personnel evaluated the five-year life cycle costs of seven options/alternatives to the existing system. Cost estimates for the proposed alternatives were based on market research of the potential offerors specializing in FOIA COTS. In addition, SSA evaluated each of these alternatives on the basis of qualitative measures.

This analysis indicates that a COTS product – which could be deployed under one of multiple cloud-based model options – would have the greatest qualitative value for the Government. SSA understands that other Federal agencies (e.g., HUD and VA) have developed and/or deployed an eFOIA system that might, with minimal adaptation, meet SSA’s existing and future needs. It was further noted that such an approach would be fully consistent with OMB’s Cloud First policies.

However, severe limitations in funding and staff resources necessitate suspending the project for FY 2012. SSA’s existing eFOIA system continues to meet its base requirements, and the Agency has no alternative but to allocate its limited resources to other initiatives that have more critical or urgent needs and that must therefore take a higher priority.

eMail Services
Subsequent to submission of SSA’s original Cloud First Plan, additional planning and analysis concluded that the Agency’s existing eMail services are not a good candidate (at this time) for migration to a public cloud model for several reasons:
•     They are deeply integrated with other services, applications, processes and functions – including identity verification services, user authentication and authorization services, access controls, collaboration and communications services, etc.;
•     They are an integral component of SSA’s unified communications service strategy and architecture;
•     They are used for mission-critical case processing management services and functions;
•     Users and user groups are not well segmented with common requirements within each segment – a basic requirement for successful migration to a public cloud solution;
•     Personally identifiable information (PII) – some of which includes highly sensitive medical records – cannot be exposed to a potential breach of privacy by allowing such information to reside anywhere other than within SSA’s own environment;
•     SSA’s existing eMail service costs less than the projected costs for similar services from a public cloud provider.

SSA will continue to extend and enhance its eMail services within the context of its broader unified communications suite of services. These ongoing activities extend beyond the timeframes specified by OMB in the 25 Point Plan. Accordingly, the Agency must withdraw eMail (as a stand-alone utility) from consideration as a Cloud-First initiative.

SSA is continuing its implementation of CARE Through 2020 – a cloud telephony service that will significantly enhance the Agency’s public services.

To replace eFOIA and eMail services as Cloud First initiatives, SSA identified two other initiatives, each of which is a component of the Agency’s SSN Verification Services.
These initiatives are described in the relevant section below.

SSA’s Overall Cloud Computing Strategy
SSA considers the advent of Cloud Computing to be an effective and evolutionary model to enhance and extend the information and IT services it delivers to its end-users, business partners, and customers. Going forward, SSA’s strategy is to adopt Private Cloud Computing as the model that is most consistent with its mission and its business operations models. This strategy allows SSA to leverage Cloud Computing in order to extend the service capabilities of its existing IT environment. The use of the Cloud Computing model – consistent with the Agency’s risk management framework and its certification and accreditation standards – is encouraged within the framework of SSA’s centrally managed enterprise architecture governance as well as its IT service acquisition and source selection processes.
•     The Agency’s current security controls and standards will continue to apply – no matter what hosting/sourcing decision is being made – i.e., whether IT services are being delivered through the Agency’s internal, private cloud; through an external, public cloud; or through some hybrid combination of both.
•     SSA’s Cloud Computing strategy will continue to address relevant statutory and policy requirements associated with Federal IT systems – including IT security and risk management; privacy; data integrity; legal issues (e.g., Terms of Service); records management; OMB and NIST guidelines and recommendations; and other applicable requirements.

SSA’s commitment to protecting personally identifiable information (PII) remains a key component of the Agency’s Cloud Computing strategy and is built into the operation and management of its existing private cloud services environment.

2. Background
SSA is utilizing Cloud Computing as an effective and evolutionary model to enhance and extend the information and IT services it delivers to its end-users, business partners, and customers.

SSA is a single-mission Agency. Its core business processes (i.e., Enumeration, Earnings, Claims, Post-Entitlement, Informing the Public, and Identity/SSN Verifications) are tightly interwoven. They are also highly complex in their information flow and relationships. The data and information requirements of these core business processes, and their mutual interdependencies, require an IT service environment that provides information and services based on common platforms, re-usable service modules, robust any-to-any network systems and back-end IT infrastructure. Additionally, given the sensitive nature of the highly personal information and data within SSA’s systems of records, data integrity and security as well as the protection of individual privacy are critical IT service requirements.

The design and management of SSA’s IT service environment have evolved over time. As a result of that evolution, the environment has substantially taken on the characteristics of a Private Cloud Computing model as defined by the National Institute of Standards and Technology (NIST):
•     Utilizing SSA’s IT services environment, end-users do not need to determine their exact resource requirements. Through secure access to the Agency’s network systems, they are provided the necessary communications and computing resources they require, on demand;
•     Through effective monitoring systems, load-balancing mechanisms and automatic failover capabilities, the design and operation of SSA’s IT infrastructure and platforms – hosted in two highly virtualized data centers – provide for streamlined and optimized resource utilization and management;
•     IT service resources are pooled to a significant degree. They are shared across large numbers of application and organizational configurations and serve a broad spectrum of service consumers;
•     SSA’s Service Orchestration and Management model leverages SSA’s highly configured and largely virtualized data centers, allowing the Agency to consolidate workloads and applications on a centrally managed and operated IT infrastructure;
•     The capacity of network and telecommunications systems and computing services is provisioned to respond to variations in demand across programmatic and administrative applications;
•     Systems capacity requirements are efficiently planned for, and pro-actively acquired, to meet increasing workload demands through effective management of Resource Allocations and Controls;
•     Redundant resources support high availability and reliability as well as providing IT operational assurance, even in the event of a catastrophic outage within a specific data center.

SSA’s IT services are centrally managed through:
•     Deployment, configuration, management and operation of programmatic and administrative software applications in such a manner that these services are provisioned at expected service levels;
•     Management of computing services, storage, and network systems infrastructure and platforms such as servers, databases, runtime software execution stacks, and middleware components;
•     Provision of integrated pre-production environments for both programmatic and administrative application development, validation and testing;
•     Change Management and Production-Release Management processes applied to infrastructure, platforms, applications and services;
•     Provisioning and acquisition management of mainframe, open/distributed servers, network system components, storage, and application and database hosting infrastructure;
•     Provisioning and management of a robust Security and Privacy architecture for the protection of SSA’s sensitive and personally identifiable information (PII).

The SSA community represents multiple groups of service consumers/end-users with many needs and requirements. SSA accordingly delivers a broad range of IT services that are carefully orchestrated to meet the needs of each of these groups. SSA’s end-users, partners and customers have a broad range of network access options to obtain an equally broad range of IT services and computing capabilities tailored to their specific needs. Services are provided on demand (as appropriate) at each of the service layers to which the individual end-user or customer has access.

To a substantial degree, the Agency’s IT resources are pooled to meet the needs of these multiple users. Through the deployment of load balancing and automatic failover capabilities, IT resources can be dynamically allocated to adjust to variations in peak end-user/customer demand.
SSA’s IT service capabilities – particularly within its highly virtualized mainframe environment – can be rapidly and elastically provisioned. SSA’s various cloud systems monitor, control and optimize IT resource utilization.

The following are some of the services SSA currently provides to its end-users, customers, or business partners:
•     Programmatic application services directly associated with SSA’s core business processes;
•     A unified communications suite including eMail, video-teleconferencing, video training, collaboration environments, etc.;
•     Document Management Services;
•     Office Productivity and Workload Management Services;
•     Integrated Case Processing Management Services;
•     Communication and Collaboration Services;
•     Remote Access Services;
•     Project Management Services;
•     Business Intelligence Services;
•     Financial Management Services;
•     Database Access and Management Services;
•     Application Development, Validation and Testing Services;
•     Application Deployment Services;
•     Integration and Interoperability Testing Services;
•     Disaster Recovery Services;
•     Backup and Recovery Services;
•     Information and Data Storage Services;
•     Platform Hosting Services;
•     Computing Services;
•     Identity Verification Services; and
•     Authentication Services.

SSA has substantially improved resource utilization, streamlined demand management, and increased the availability, reliability and responsiveness of the services it delivers. The evolution of SSA’s shared-service IT environment toward a Private Cloud Computing model has allowed the Agency to capitalize on its benefits in terms of efficiency, agility, and innovation. By further leveraging Private Cloud Computing principles, SSA will continue to exploit significant economies of scale, provisioning its IT resources to meet increasing service delivery demands with minimal overhead while leveraging the underlying capacity of the Agency’s enterprise-level IT resources through a state-of-the-art network architecture.

3. SSA’s Cloud Computing Strategy
SSA is adopting a Private Cloud Computing model because it is seen as most consistent with its mission and its business operations models. This strategy allows the Agency to effectively leverage the Cloud Computing model in order to extend the service capabilities of its existing IT environment. Resources permitting, SSA’s planned Cloud Computing initiatives include, but are not limited to:
•     Further enhancing dynamic scaling capabilities and processing capacity provisioning by continuing with network virtualization and server virtualization/consolidation initiatives;
•     Incorporating highly sophisticated technological enhancements to the IT infrastructure, systems and platforms – including statelessness, low coupling, modularity, and semantic interoperability;
•     Improving the provisioning, performance, agility, resilience and scalability of SSA’s network systems through unified cabling infrastructure, and network convergence and virtualization;
•     Enhancing IT service measurement capabilities through greater instrumentation of the infrastructure and the applications, data and services it supports.

SSA will continue to ensure that existing mission-critical services, strategic goals and business operation requirements are delivered at levels that meet or exceed requirements while simultaneously protecting the security, integrity and privacy of information and data assets. The Agency’s commitment to protecting personally identifiable information (PII) is a key component of its Cloud Computing strategy.

SSA encourages the use of the Cloud Computing model, consistent with its:
•     Risk management framework;
•     Certification and accreditation standards;
•     Centrally-managed enterprise architecture governance model; and
•     IT service acquisition and source selection processes.

SSA’s current security controls and standards will continue to apply – no matter what hosting/sourcing decision is being made – i.e., whether IT services are being delivered through the Agency’s internal, private cloud; through an external, public cloud; or through some hybrid combination of both.
The Agency\xe2\x80\x99s Cloud\nComputing strategy must continue to address relevant statutory and policy requirements associated with\nFederal IT systems \xe2\x80\x93 including IT security and risk management; privacy; data integrity; legal issues (e.g.,\nTerms of Service); records management; OMB and NIST guidelines and recommendations; and other\napplicable requirements.\n\n\n\n\n                                                      C-9\n\x0cMultiple strategic and operational considerations will govern the way SSA leverages and extends the\ncapabilities of its existing IT environment as it continues its migration to a Private Cloud Computing\nenvironment:\n\nWorkload Optimization\nSSA\xe2\x80\x99s computing services platform and its network infrastructure will be configured for optimized\nworkload management.\n\xe2\x80\xa2     Mainframe and distributed platform environments will continue to leverage their respective\n      strengths;\n\xe2\x80\xa2     The mainframe platform will continue to be favored for dense, mission-critical, high volume\n      batch operations;\n\xe2\x80\xa2     Applications will be hosted on the platform most suited to the data they must access and the type of\n      work (I/O, user interface, transaction-based) they must perform;\n\xe2\x80\xa2     State-specific applications are being consolidated or replaced in favor of Service Oriented Architecture\n      (SOA) model services that can be reused and assembled to suit state-specific processes;\n\xe2\x80\xa2     Distributed platform components will continue to be virtualized and consolidated to provide\n      higher levels of availability, resource utilization, and elasticity of capacity.\n\nIP-based Network Service Delivery\nThe Agency\xe2\x80\x99s any-to-any, dual-stack, IPv4/IPv6 network architecture will continue as a hybrid public/private\ncloud infrastructure.\n\xe2\x80\xa2     Network systems will converge toward a single infrastructure supporting data, voice, and video 
traffic;\n\xe2\x80\xa2     Utilizing the Internet Protocol (IP), the Agency\xe2\x80\x99s converged network will provide enhanced features in\n      terms of telephone services, video capabilities, and data exchange and analysis.\n\n\n\n\n                                                      C-10\n\x0cUtilization of Public Cloud Resources Where Appropriate and Cost Effective\nSourcing options for the delivery of IT services include consideration of critical requirements. SSA continues\nto include consideration of cloud-based services that may be more cost- effectively delivered through an\nexternal resource \xe2\x80\x93 either another Government Agency or a commercial provider/vendor, as long as:\n\xe2\x80\xa2     There is no Personally Identifiable Information (PII) or other mission critical data involved; AND\n\xe2\x80\xa2     The choice of a public/hybrid cloud model is cost-effective with a clear and demonstrable Return on\n      Investment (ROI) to the Agency.\n\nAs with any IT service/sourcing project, the use of public or hybrid clouds requires a formal\ncost-benefit analysis to demonstrate a positive value (i.e., return on investment (ROI)) as well as appropriate\nsecurity and privacy review and approval where PII may be a concern.\n\nUtilization of Technologies Related to Cloud Computing\nSSA\xe2\x80\x99s IT planners and engineers continue to focus their efforts on evaluating and deploying enhanced IT\nsolutions that leverage network-delivered, web-based services to users and to the public through a broad\nspectrum of end-user devices and network interfaces.\n\nThe Agency\xe2\x80\x99s existing IT environment will continue to leverage the benefits of virtualization,\nconsolidation, and workload optimization to increase resource utilization and processing efficiency.\n\nOn an ongoing basis, the Agency will continue to enhance the flexibility and agility of its existing IT services\nand infrastructure through deployment of new technologies as they are found to 
support and enhance SSA\xe2\x80\x99s\nservice delivery models and channels.\n\nSSA continues to evaluate IT services and business operations activities to identify those that that might be\nbetter provided by external partners whose services and capabilities meet the specific requirements of the\nAgency and the Federal Government at large. This evaluation focuses on areas where the existing IT\nenvironment is not well suited to meet exigent demands.\n\n\n\n\n                                                       C-11\n\x0cLeveraging Cloud-based IT Service Delivery and Management\n\xe2\x80\xa2     IT operations management will continue its emphasis on service delivery and\n      management.\n\xe2\x80\xa2     New and evolving technologies will be evaluated and deployed based on their value in enhancing and\n      extending the services provided to SSA\xe2\x80\x99s end-user communities.\n\xe2\x80\xa2     Consideration and evaluation of IT service delivery include an assessment of activities or services that\n      might be good candidates for greater standardization, outsourcing, and/or deployment within a Cloud\n      Computing service model.\n\xe2\x80\xa2     Consideration of Cloud Computing resources will continue to represent one of the available means to\n      provide, extend and enhance high quality IT services to the Agency\xe2\x80\x99s end-users.\n\nImplementing Cloud-based IT Acquisitions Policies and Procedures\n\xe2\x80\xa2     IT acquisition and sourcing policies and procedures ensure that valid and demonstrable business\n      value remains the foundation for all decisions regarding the deployment of IT services and solutions\n      (including those that are cloud-based).\n\xe2\x80\xa2     The development, acquisition, and deployment of IT solutions and services will continue to be based on\n      robust and mature business value considerations \xe2\x80\x93 specifically a thorough analysis of costs, benefits,\n      and expected return on investment 
(ROI).\n\xe2\x80\xa2     While SSA\xe2\x80\x99s IT services environment is highly cost-effective, senior managers and Agency executives\n      continue to evaluate IT-related proposals in terms of the most cost-effective delivery model and will\n      consider the costs and benefits of Cloud Computing solutions within strategic planning and source\n      modeling.\n\nBy coordinating these strategic elements within planning and IT service delivery and operations management,\nSSA expects to continue to reap the benefits of the Cloud Computing model.\n\n\n\n\n                                                     C-12\n\x0c4. Designated Cloud-First Projects\nIn response to OMB\xe2\x80\x99s December 2010 directive, SSA has identified three initiatives, which are described in\nthe following sections.\n\n4.1.    CARE Through 2020\nOn September 30, 2010, the CARE Through 2020 contract was awarded to at&t. CARE Through\n2020 is a cloud telephony solution that is replacing National 800 Number (N8NN) and the Call Center\nNetwork Solution (CCNS). CARE Through 2020 allows SSA to achieve a number of economies by\nconsolidating the two existing contracts into a single acquisition vehicle.\n\nCARE Through 2020 is being deployed to provide and enhance the telephone services the Agency provides to\nthe public. The infrastructure for the CARE Through 2020 system is being deployed on the contractor\xe2\x80\x99s\nnetwork and is flexible enough to support future computer- telephony integrated (CTI) services, such as click\nto talk, web co-browse, and web chat technologies. 
These services will significantly increase the public’s options to interact with the Agency’s contact centers.

The public cloud services architecture of CARE Through 2020 includes:
•  A vendor-hosted IP voice call/contact center;
•  All functionality currently provided by FTS2001 and CCNS;
•  Approved new functionality as offered in SSA’s Telephone Services Strategic Plan;
•  Capability to integrate additional agent contact channels upon approval of funding.

Scheduled implementation of CARE Through 2020 is on target for completion in the May/June 2012 timeframe.

Major Milestones
SSA’s original Cloud Computing Strategy Plan projected that the initial rollout of the CARE Through 2020 project would be completed by the end of December 2011. However, issues related to the final contract award delayed the start of the project. As a result, the current projected date of completion is the third quarter of FY 2012 (i.e., approximately the May/June timeframe).

Execution Risks
•  Internet Data Center construction incomplete or not operational
•  Scope Change Requests
•  Supporting application development and testing incomplete
•  Management information systems incomplete

Lifecycle Cost Estimate
•  Initial Acquisition:                        $ 20,674,000
•  Transition Costs:                           $ 38,381,000
•  FY 2012 Operations & Maintenance:           $ 58,088,000
•  FY 2013 Operations & Maintenance:           $ 59,290,000
•  FY 2014 Operations & Maintenance:           $ 60,635,000
•  FY 2015 Operations & Maintenance:           $ 62,754,000
•  FY 2016 Operations & Maintenance:           $ 64,941,000
•  FY 2017 Operations & Maintenance:           $ 67,215,000
•  FY 2018 Operations & Maintenance:           $ 69,571,000
•  FY 2019 Operations & Maintenance:           $ 71,997,000

Total                                          $573,546,000

NOTE: SSA’s initial cost estimate for CARE Through 2020 ($630,344,000) included $56,798,000 in Operations and Maintenance costs for FY 2011. Because of delays in contract award, the transition period was extended into FY 2012. The estimate above therefore does not include the planned FY 2011 Operations and Maintenance costs.

Legacy Retirement Plan
With the deployment of CARE Through 2020, SSA’s existing N8NN and CCNS solutions will be retired in favor of the single, streamlined service.

4.2. eVerify High Availability Platform
eVerify provides employers (and certain others) an automated link to federal databases to help employers determine employment eligibility of new hires and to ensure the Social Security number matches the employee’s name. It is currently free to employers and is available in all 50 states. eVerify is operated by the U.S. Citizenship and Immigration Services (USCIS) – a component of the Department of Homeland Security (DHS) – in partnership with the Social Security Administration (SSA).

In operational terms, DHS/USCIS provides eVerify’s front-end interface with the customer (i.e., the employers and certain others). SSA provides DHS/USCIS the back-end infrastructure and database systems that actually perform the verification. This back-end infrastructure, platform and software/database system is comprised of a physical layer and an abstraction layer.
The physical layer is designed to provide load balancing between SSA’s data centers and features fully automatic fail-over, dynamic capacity allocation capability, etc. This back-end infrastructure is accessed by DHS/USCIS over a secure Internet connection. The abstraction layer is designed to support the software and database systems that operate across the physical layer (i.e., the hardware and network connections).

A Service Level Agreement (SLA) between SSA and DHS/USCIS governs the operation of this verification service. The latter Agency reimbursed SSA for the design, construction and deployment of the isolated environment in which the back-end eVerify system operates. It reimburses SSA on an annual basis for maintenance, operations and administration of the system.

SSA has completed the deployment of a second eVerify node in its Second Support Center (SSC) to enhance the availability, performance and reliability of the services provided to DHS/USCIS. The creation of this second node in a geographically dispersed location eliminates planned downtime and enhances the performance, availability and reliability of the system. The implementation of this project was completed in January 2011.

Major Milestones
•  Target Architecture Design Completion: 06/30/2010
•  Complete Required Hardware/Software Acquisitions: 11/30/2010
•  Begin Construction of Integration Region on High Availability Sysplex: 12/01/2010
•  Begin Construction of Production Region on High Availability Sysplex: 12/11/2010
•  Complete Migration from MISF to HAF/iHAF: 01/15/2011
•  Verify operational status on HAF/iHAF: 01/17/2011
•  Configure Global Load Balancing: 01/22/2011
•  Evaluate Performance and Response Times: 01/31/2011

Lifecycle Cost Projections
SSA’s life cycle cost estimate for fiscal years 2010 through 2015 of almost $66 million includes:
•  Approximately $14 million in costs that have already been incurred for developing the Isolated Environment, which was designed for dedicated use by DHS;
•  $18 million for fiscal years 2010 through 2013 to maintain this system; and
•  $34 million for fiscal years 2010 through 2015 to provide administrative support to SSA field offices and a toll-free number to respond to inquiries.

Under the terms of the SLA with DHS, SSA is fully reimbursed for these costs.

Execution Risks
•  Production Execution Scripts Fail
•  Routing Configurations Fail
•  Load Balancing Configurations Fail
•  System Migration Failure
•  Database Migration Failure

Legacy Retirement Plan
The instances of eVerify in the Integration and Production regions of the MISF have been removed.

4.3. AAMVA/HAVV Verification Services
State Motor Vehicle Administrations (MVAs), which are responsible for the issuance of driver’s licenses and state-certified identification cards, must verify an individual applicant’s identity prior to issuing the license or identification card. To do so, the MVAs must verify the applicant’s name, date of birth, and Social Security Number (SSN) with SSA.
Similarly, State-level Voter Registration Services require the same type of verification services.

To meet these service demands, under a series of written agreements, SSA and the American Association of Motor Vehicle Administrators (AAMVA) have established a cloud-based system that allows state-level motor vehicle and voter registration offices to verify the identity of individuals applying for a driver’s license or identification card or who are seeking to register to vote. As with eVerify, AAMVA provides the front-end web service through which State MVAs and Voter Registration offices are able to access SSA’s SSN verification services. SSA provides and maintains the back-end infrastructure and verification services.

A Service Level Agreement (SLA) between SSA and AAMVA governs this SSN verification service. The architecture of the AAMVA platform provides a broad range of features and functionality.

To enhance the availability, performance and reliability of the services provided, SSA is establishing a second AAMVA node in its Second Support Center (SSC). The creation of this second node in a geographically dispersed location provides for automatic load balancing and failover/recovery capability – ensuring the availability and reliability of the system in providing the critical services required by AAMVA and its clients/customers. Additional enhancements to the infrastructure and platform provide greater performance and reduced response times.

The implementation of this project is nearing completion.
The second node will be fully operational by January 31, 2012.

Major Milestones
•  Finalize Network Connectivity Requirements: 06/30/2011
•  Finalize Storage Capacity Requirements: 07/15/2011
•  Storage installed and configured: 09/30/2011
•  Configuration of Integration region completed: 09/30/2011
•  Integration region configuration validated and verified: 10/15/2011
•  Configuration of Production region completed: 10/31/2011
•  Acquisitions/procurements completed: 10/31/2011
•  Production region configuration validated and verified: 12/15/2011
•  Verification service applications tested operational: 01/31/2012

Lifecycle Costs
There were no new ITS costs associated with this project. SSA utilized existing infrastructure, platform and data service capabilities to provision the second AAMVA node in the SSC.

Under the terms of the SLA, AAMVA reimburses SSA for the costs of delivering this service to AAMVA and its client agencies.

Execution Risks
•  Network connectivity is not completed (timely).
•  Storage to support the new node is not acquired or installed (timely).
•  SSA data processing fails to account for transactions flowing through the SSC.
•  NUMIDENT data replication infrastructure incomplete.

Legacy Retirement Plan
Not applicable.
There is no legacy system to retire in this instance.

Appendix D

Risks Associated with Moving Computer Services to a Cloud
The National Institute of Standards and Technology (NIST), the Inspector General (IG) community, the Government Accountability Office (GAO), and cloud subject matter experts have identified the following risks associated with moving computer services to a cloud. This list is not all-inclusive; therefore, the Social Security Administration (SSA) should consider all potential risks to its data or legacy systems before moving future computer services to a cloud.

NIST

NIST Special Publication 800-146 [1] discusses various risks related to moving services to a cloud. These risks include the following.

Computer Performance – Different types of computer applications require different levels of system performance. For example, email is generally tolerant of short service interruptions, but industrial automation and real-time processing generally require both high performance and a high degree of predictability. Cloud computing has similar performance issues that include time delays, off-line data synchronization, and data storage management.

Cloud Reliability – Reliability refers to the probability that a system will function without failure for a specified period of time within a specified environment. For the cloud, reliability is broadly a function of the reliability of four components: (1) the hardware and software facilities providers offer; (2) the provider’s personnel; (3) connectivity to the subscribed services; and (4) the subscriber’s personnel. Cloud reliability depends on several factors, including network dependency, cloud provider service or utility outages, and safety-critical workload processing.

Economic Goals – Cloud computing offers an opportunity to use computing resources with small or modest up-front costs. The related risks are business continuity, service-level agreement evaluations, portability of workloads, interoperability between cloud providers, and disaster recovery.

Compliance – The subscriber retains the responsibility for compliance when data or processing is moved to a cloud, but the provider (having direct access to the data) may be in the best position to enforce compliance rules. Therefore, compliance should be addressed contractually and include terms related to lack of visibility into how clouds operate, physical data location, jurisdiction and regulation pertaining to clouds (that is, Health Information Protection and Accountability Act, Federal Information Security Management Act of 2002, etc.), and support for forensics in a cloud.

Information Security – Pertains to protecting the confidentiality and integrity of data and ensuring data availability. Information security risks include those associated with unintended data disclosure, data privacy, system integrity, multi-tenancy [2] clouds, browser use, hardware support, and management of cryptographic keys.

[1] NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations, §§ 8.1 – 8.5, pp. 8-1 through 8-9, May 2012.

IG Community

The Council of Inspectors General on Integrity and Efficiency (CIGIE) identified similar risks as NIST. These risks included data security and regulatory compliance in moving services to a cloud.
Furthermore, the IG community identified the following areas of concern when moving services to the cloud.

•  Access to information
•  Asset availability
•  Software maintenance
•  Intellectual property language

CIGIE stated Federal agencies should have access to real-time and archived data, facilitating the agency’s ability to audit and investigate without incurring additional cost. Additionally, CIGIE expressed concerns about vendor compatibility with agency cloud services. CIGIE also noted issues with estimating outage time for hardware and software updates, fulfilling certification and accreditation requirements, and addressing patch management and version control. Moreover, CIGIE stated agencies need to include cloud agreement language that protects the Government while setting vendor boundaries. [3]

GAO

GAO cited concerns about potential information security risks associated with cloud computing. These concerns were identified through information collected and analyzed from industry groups, private sector organizations, and NIST as well as a survey of 24 Federal agencies. Specifically, GAO reported the risks to moving computer services to a cloud included

•  the possibility that vendor security controls may be ineffective or noncompliant,
•  potential loss of governance and physical control of agency data,
•  cloud provider insecure or ineffective deletion of agency data, and
•  inadequate background and security investigations for service provider employees.

Additionally, GAO noted concerns about the increased risk associated with multi-tenancy resources and risk of data interception resulting from the increase in data transmission volume. [4]

Cloud Subject Matter Experts

Cloud Subject Matter Experts identified risks associated with moving computer services to a cloud. These risks include

•  resolution of cyber security risk; [5]
•  failure to move entire legacy system application, functions, and features; [6]
•  failure of cloud solution to meet its financial objectives;
•  difficulty to develop and integrate cloud services due to the complexity of the service;
•  failure to recover cloud services after a disaster; and [7]
•  loss of customization. [8]

[2] In cloud computing, multi-tenancy is the phrase used to describe multiple customers using the same public cloud.
[3] IT Investigations Subcommittee of the Council of Inspectors General on Integrity and Efficiency Cloud Computing Working Group, Cloud Computing Contracting Concerns, pp. 1-6, 2011.
[4] GAO, Information Security, Testimony before the Committee on Oversight and Government Reform and Its Subcommittee on Government Management, Organization and Procurement, House of Representatives, pp. 3 and 4, July 1, 2010.
[5] TechAmerica, TechAmerica’s Twenty-First Annual Survey of Federal Chief Information Officers, Section Cybersecurity, p. 2, May 2011.
[6] Id. at p. 25.
[7] ZDNet, Eight cloud computing risks, and how to quash them, September 28, 2011. http://www.zdnet.com/blog/service-oriented/eight-cloud-computing-risks-and-how-to-quash-them/7752.
[8] Barrie Sosinsky, Cloud Computing Bible, Wiley Publishing, p. 18, 2011.

Appendix E

Agency Comments

Social Security
MEMORANDUM

Date:      September 11, 2012                                    Refer To:   S1J-3

To:        Patrick P. O’Carroll, Jr.
           Inspector General

From:      Dean S. Landis /s/
           Deputy Chief of Staff

Subject:   Office of the Inspector General Draft Report, “Cloud Computing at the Social Security Administration” (A-14-12-11226)—INFORMATION

Thank you for the opportunity to review the draft report. Please see our attached comments.

Please let me know if we can be of further assistance. You may direct staff inquiries to Amy Thompson at (410) 966-0569.

Attachment

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT, “CLOUD COMPUTING AT THE SOCIAL SECURITY ADMINISTRATION” (A-14-12-11226)

General Comment

At the top of page 5, the report states, “...OMB never formally approved SSA’s plan.” We believe this statement should be qualified, as it has been a matter of standard practice that the Office of Management and Budget (OMB) does not provide such formal, written approvals. By omitting this information, it infers that OMB chose to withhold its approval and that our cloud computing efforts are somehow deficient.
While we do not dispute the strictly factual accuracy of the statement, we do object to its negative implication when made outside a context that ignores OMB’s standard practice.

Response to Recommendations

Recommendation 1

Develop a service-based methodology to identify and track costs, including the costs of retiring segments or entire legacy systems, for all IT initiatives so the Agency can determine whether moving computer services to a cloud provided an equal or greater ROI than keeping the status quo.

Response

We disagree. As we presented several times during the course of this review, we previously identified the need for service-based cost allocation models and methodologies. We are currently investigating the feasibility and cost effectiveness of implementing a service-based cost allocation methodology to complement our existing Information Technology (IT) cost tracking mechanisms. We are obtaining the input and support of subject matter experts through one of our existing contract vehicles. In addition, we intend to identify the most productive, technically feasible and cost-effective strategies for the development and deployment of the processes and tools that may be required to identify and track the costs of IT business services delivered to our community.

Recommendation 2

Consider additional potential risks to its data or legacy systems before moving future computer services to a cloud.

Response

We disagree. We have an existing private cloud IT environment protected by a comprehensive defense-in-depth security architecture. These mechanisms will continue as critical elements of our cloud computing strategy as noted in our Cloud First Plan.
We have taken comprehensive measures to ensure appropriate and effective risk assessment and mitigation for all IT projects. The security and privacy controls we deployed to protect our information assets incorporate and exceed the additional risk categories identified in the report.

In addition to our comprehensive and robust risk assessment and mitigation, we also recognize the immaturity of public cloud computing offerings. This immaturity represents a substantial and concrete risk to the security, confidentiality, privacy, and integrity of the highly sensitive personal and acquisition-related data and information housed within our systems. Therefore, we continue to maintain a highly vigilant posture with respect to the effective protection of these systems and assets since the deployment of any cloud-based solution may affect them.

Finally, we continue to maintain the policy that interdicts the deployment of any cloud solution that could potentially jeopardize the security, privacy, confidentiality, or integrity of personally identifiable information by allowing it to reside beyond the protection of our own security authorization boundaries.
Our current security controls and standards continue to apply whether we deliver IT services through our internal, private cloud; through an external, public cloud; or through some hybrid of both.

Our cloud computing strategy continues to address relevant statutory and policy requirements associated with Federal IT systems, including IT security and risk management; privacy; data integrity; legal issues; records management; OMB and the National Institute of Standards and Technology guidelines and recommendations; and other applicable requirements.

Recommendation 3

Continue reaching out to FedRAMP program officials; other Federal, State, and local government agencies; as well as private industry to obtain best practices and lessons learned before moving its computer services to a cloud.

Response

We disagree. As we presented during this review, we actively maintain an ongoing relationship with the General Services Administration, OMB, and the Federal Risk and Authorization Management Program (FedRAMP) officials to ensure that our cloud computing initiatives and activities remain consistent with Federal policies, guidelines, and security provisions.

We actively engage in efforts to identify and refine private industry cloud computing best practices. We also evaluate lessons learned from early adopters at any level of government or the private sector.
Industry best practices and lessons learned play a prominent role in the evolution of our cloud computing strategies and implementation plans.

Appendix F

OIG Contacts and Staff Acknowledgments
OIG Contacts

   Brian Karpe, Director, Information Technology Audit Division
   Mary Ellen Moyer, Audit Manager

Acknowledgments

In addition to those named above:

   Cheryl Dailey, Auditor-in-Charge

For additional copies of this report, please visit our Website at http://oig.ssa.gov/ or contact the Office of the Inspector General’s Public Affairs Staff at (410) 965-4518. Refer to Common Identification Number A-14-12-11226.

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security, Pensions and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit
OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.

Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Counsel to the Inspector General
OCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCIG administers the Civil Monetary Penalty program.

Office of External Relations
OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG’s media and public information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.

Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG’s strategic planning function, and the development and monitoring of performance measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.